Ready for GDPR? Read our helpful guide and FAQs for VCSE groups

Image Credit:

Photo by City of Seattle Community Tech CC BY-NC 2.0

23 January, 2018

By now, most people will have heard about the EU's General Data Protection Regulation (GDPR), which applies from 25 May 2018, but do you understand what it means in practice for your group/organisation?

Following a number of inquiries from our members and other VCSE contacts, Voscur has put together answers to the following FAQs for organisations to use as an introductory guide to GDPR. We have included links to external sources which explain the answers further and listed useful definitions at the beginning of this guide.

Information found in this document is not legal advice and is to be used as a guide and a brief summary. We advise you also check the Information Commissioner's Office (ICO) website or seek legal advice so you can make sound decisions based on the work that you do. TrustLaw offers organisations in the VCSE sector a great opportunity to get free legal support.

Definitions

Data Processor – Is responsible for processing personal data on behalf of a controller.

GDPR – The General Data Protection Regulation is a piece of regulation brought in by the EU which replaces previous data protection legislation; in the UK this is the Data Protection Act 1998 (DPA). The UK government has committed to keeping the GDPR's requirements in UK law, so organisations will still need to comply after Brexit.

Legal entity – A company or organisation that has legal rights and responsibilities.

Personal data – Any information relating to a living individual who can be identified, directly or indirectly, from that information (on its own or combined with other information you hold).

Opt-in Consent – Where positive action is taken to demonstrate agreement.

Legitimate Interest – A lawful basis for processing that does not rely on consent. The organisation has a genuine interest in the processing, the processing is necessary for that interest, and the individual's own interests, rights and freedoms do not override it. The individual would reasonably expect their data to be used in that way.

Questions

1. What is GDPR?

GDPR stands for General Data Protection Regulation and applies from 25 May 2018. It replaces the rules in the 1998 Data Protection Act and extends the duties of any organisation or individual (e.g. a sole trader) who uses personal data (such as name, contact information, employment information) that relates to an identified or identifiable living person. It is recognised that it may take some time to make all systems fully compliant; however, the ICO will want to see that organisations are taking reasonable steps towards compliance and have a plan in place. "Working towards" compliance may not be an adequate explanation for problems that happen after May 2018.

2. Why has GDPR come about now?

The regulations have been devised to take into account how electronic data and the internet are being used in practice. The capabilities for using, holding and working with data have changed massively over the last 20 years. The Information Commissioner’s role is to ensure that individuals have appropriate rights and ownership over their own data.

3. Does GDPR apply to our organisation?

Almost definitely! GDPR applies to anyone who controls, uses or works with personal data. The definitions are similar to those under the existing Data Protection Act (DPA): a controller is the person, people or organisation who decides how and why personal data is stored and used, whereas a processor is a person, persons or organisation who processes personal data on the controller's behalf and under its instructions. Both a controller and a processor can be a legal entity (for example a VCSE organisation or business) or a natural person (an individual), and an organisation can be a controller for some data and a processor for other data. For example, an organisation which collects information about service users and analyses it for its own internal monitoring is a controller; doing the processing yourself does not make you a processor. The same organisation would be a processor if it held or analysed personal data purely on another organisation's instructions, for example managing a partner charity's membership database.

4. How do we know if the data we hold is covered by GDPR? What is ‘personal data’?

The regulations cover everything that could be classed as personal data, in both electronic and manual (paper) filing systems. People have the right to know who is storing their data, why the information is being kept and how it will be used. Importantly, they also have a right of access to their personal data. Personal data is any information which could identify a living individual, directly or indirectly, including online identifiers such as an Internet Protocol (IP) address, which can identify an individual's device. This is broader than under the existing DPA. The following are considered personal data (this list is not exhaustive):

Name

Home address

Email address

Phone number

Computer IP address

Job title

Photograph

Work email if it obviously directs to a particular person (e.g. katie@voscur.org)

Work mobile telephone number if it goes to the same individual (not an office telephone number that could be answered by several people).

5. What is data processing?

Data processing is a broad term which covers the obtaining, recording, holding and carrying out operations or analysis of information or data. Generally, this includes: adapting, altering, combining, destroying, disclosing, organising, recording or using data. Some examples of data processing are:

Storing information about historical donors to your organisation (so you can contact them again in the future);

Keeping names and addresses of people who have used your services in the past (e.g. for monitoring and reporting purposes) or who are members of your group/organisation.

6. What is our lawful basis for the processing we do?

GDPR says that before processing personal data you need to identify a lawful basis for doing so. There are six, and for many VCSE organisations the main one is likely to be consent from the individual. In some instances, it is possible to use legitimate interest as the lawful basis. The other four bases apply where processing is necessary to:

Perform a contract with the data subject, or take steps at their request before entering into one;

Comply with a legal obligation;

Protect the vital interests of a data subject or another person;

Perform a task in the public interest or to exercise an official authority vested in the controller.

Your lawful basis for each processing activity needs to be decided before you start processing and stated in your privacy notice (privacy policy).

7. What is the difference between the types of consent?

Many organisations currently rely on opt-out or implied consent as their lawful basis for processing, meaning they assume someone consents simply by using a website or service. GDPR gives more power to individuals and this type of consent will no longer be sufficient. Instead, consent must be given by the individual actively choosing to agree; where consent is not appropriate, you need a different lawful basis, such as legitimate interest.

a. Opt-in consent requires positive action to demonstrate permission. Such permission must be freely given, specific, informed and unambiguous. This means that the individual has to be provided information on what is happening to their data (usually in the form of a privacy policy) and their rights to withdraw or change consent. A positive action could be ticking a box or responding to a yes/no question.

b. Legitimate interest is more complex, so if you want to use this lawful basis to process personal data you may need to seek legal advice to make sure you are acting in compliance. It is not a form of consent: it can be used when you do not have explicit consent from the data subject, but you can show that the individual would reasonably expect their personal information to be used in this manner and that the use does not harm them (and may, in fact, benefit them). For example, if someone subscribes to your organisation's monthly newsletter (gives their consent for you to send it to them), it may be a reasonable expectation that they would also like to receive your annual report. Legitimate interest needs to be assessed on a case by case basis: the ICO expects you to record a three-part test (what your purpose is, why the processing is necessary for it, and how you balanced it against the individual's interests) so you have sufficient evidence and specific reasoning to back up the decision. It cannot override the rights of the individual. Note also that marketing by email or text is separately governed by the Privacy and Electronic Communications Regulations (PECR), which usually require consent.

You can rely on different lawful bases for different processing activities; however, for each activity you should settle on one basis up front rather than switching between consent and another basis later, and we would recommend opt-in consent wherever it is practical.

8. How secure does data need to be?

You need to take appropriate technical and organisational measures to ensure data is handled securely, protected against unauthorised and unlawful processing, and against accidental loss, destruction or damage. This means organisations need policies, training and governance in place to protect data, and technical measures in place to protect systems. GDPR specifically mentions pseudonymisation and encryption, the ability to restore data after an incident, and regular testing of your measures, though what is "appropriate" depends on the risk and on what you can afford. GDPR also introduces a duty to report certain personal data breaches to the ICO within 72 hours of becoming aware of them, so you should know in advance who would handle a breach and how. The ICO provides guidance on IT security for small businesses which should also be applicable to voluntary organisations and charities.

9. What if another company hosts or manages our website?

This is allowed, but it needs to be explicitly stated in your privacy notice, including which third-party organisations are processing data and in what way. The hosting company is a data processor, and GDPR requires you to have a written contract with any processor setting out what they may do with the data, their security obligations, and that they act only on your instructions. It is the data controller's responsibility to check they are satisfied with any partner organisation's privacy policies and procedures to ensure data is kept securely.

10. What about when we use external services like social media, Eventbrite, SurveyMonkey, MailChimp?

This is a grey area, so we recommend you read about it further as the ICO updates its guidance, which it is doing regularly. All the same principles of control and processing apply to social media, but extra care needs to be taken to identify where responsibilities lie. For example, if you use Twitter or Facebook, you need to create an account to publish, so your personal data will be held by the platform, as will the personal data of people who choose to follow you, join a group, etc. For that data the platform is the controller. However, if you download an analysis of your Twitter followers (their names and Twitter IDs), you then control and process personal data yourself and need to do so in compliance with GDPR. The same applies to survey responses, event bookings and mailing lists you hold in services such as SurveyMonkey, Eventbrite and MailChimp: you are the controller and the service is your processor, so check its terms and privacy policy. Many social media platforms publish their data handling and privacy policies, and these should be considered when using a particular platform for different client groups.

11. Does GDPR cover data and contacts we have from people who email us?

Yes – all personal data which can identify someone is covered, including emails and contacts. So the same standards of security and confidentiality apply.

12. Does our organisation need a named Data Protection Officer?

It is unlikely you will need a DPO, but it can be useful to appoint someone to take responsibility for compliance. Under GDPR, you must appoint a data protection officer (DPO) if you are a public authority (except for courts acting in their judicial capacity); carry out large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or carry out large-scale processing of special categories of data (sensitive data such as health, religion, racial or ethnic origin, sexual orientation, etc.) or data relating to criminal convictions and offences.

13. Organisations with over 250 employees are affected differently - what’s the difference?

This is to do with how thorough your record keeping of processing must be. If your organisation has 250 or more employees, you must maintain internal records of all your processing activities. If you have fewer than 250 employees, you only need to keep records for processing that is not occasional (for example regular staff, member or service-user records), that is likely to result in a risk to the rights and freedoms of individuals, or that involves special categories of data or criminal convictions and offences. In practice this means most organisations will need to record at least some of their processing.

14. We’re not an incorporated company or constituted group – does it apply to us?

Yes – it applies to any organisation, business or group that uses, stores or processes personal data. As with other financial or legal risks to unincorporated groups, the responsibility will rest with the individual management committee members or directors, rather than with the group or organisation as a legal entity in itself. For further guidance about the responsibilities of unincorporated groups, visit WCVA or ABI.

15. Do we need to register with the ICO and get an official registration number/ID?

Sort of. Under existing legislation, data controllers must register with the ICO (unless exempt), but this requirement changes under GDPR. From 25 May 2018, data controllers will instead be required to pay a data protection fee to the ICO, set by a new charging structure. Fundamentally this means little will change in practice: most data controllers will still need to pay the ICO, but the legal reason behind the payment is different. You can find more information about these changes through this link.

If you would like further information on GDPR then we recommend these links from the ICO: